spring-projects / spring-security

Spring Security
http://spring.io/projects/spring-security
Apache License 2.0

Verification Options do not Return Saved Transports for Credentials #16084

Open Jyosua opened 1 week ago

Jyosua commented 1 week ago

Describe the bug

The transports saved with the credential during the registration request are not returned in the transports property of the same credential within the Verification Options response provided by /webauthn/authenticate/options.

Note that I'm using the RC version of Spring Security 6.4.0.

To Reproduce

  1. Add a Security Configuration using the following implementation:

    import org.springframework.context.annotation.Bean
    import org.springframework.context.annotation.Configuration
    import org.springframework.security.config.annotation.web.builders.HttpSecurity
    import org.springframework.security.core.userdetails.User
    import org.springframework.security.core.userdetails.UserDetailsService
    import org.springframework.security.provisioning.InMemoryUserDetailsManager
    import org.springframework.security.web.SecurityFilterChain

    @Configuration
    class SecurityConfig {

        @Bean
        fun securityFilterChain(http: HttpSecurity): SecurityFilterChain {
            http
                // Enable the WebAuthn endpoints (/webauthn/register, /webauthn/authenticate/options, ...)
                .webAuthn { it
                    .rpName("Example")
                    .rpId("example.localhost")
                    .allowedOrigins("https://example.localhost")
                }
                // Everything is open so the reproduction does not need a login first
                .authorizeRequests { it
                    .anyRequest()
                    .permitAll()
                }
                // CSRF disabled only to simplify the POSTs in the reproduction
                .csrf { it.disable() }

            return http.build()
        }

        // Single in-memory user that the passkey is registered for
        val userDetails = User.withDefaultPasswordEncoder()
            .username("user")
            .password("password")
            .roles("USER")
            .build()

        @Bean
        fun userDetailsService(): UserDetailsService {
            return InMemoryUserDetailsManager(userDetails)
        }
    }
  2. Register a credential like the example in the docs but with an internal transport. Chrome virtual authenticator can be used to do this fairly easily.
    {
      "publicKey": {
        "credential": {
          "id": "dYF7EGnRFFIXkpXi9XU2wg",
          "rawId": "dYF7EGnRFFIXkpXi9XU2wg",
          "response": {
            "attestationObject": "o2NmbXRkbm9uZWdhdHRTdG10oGhhdXRoRGF0YViUy9GqwTRaMpzVDbXq1dyEAXVOxrou08k22ggRC45MKNhdAAAAALraVWanqkAfvZZFYZpVEg0AEHWBexBp0RRSF5KV4vV1NsKlAQIDJiABIVggQjmrekPGzyqtoKK9HPUH-8Z2FLpoqkklFpFPQVICQ3IiWCD6I9Jvmor685fOZOyGXqUd87tXfvJk8rxj9OhuZvUALA",
            "clientDataJSON": "eyJ0eXBlIjoid2ViYXV0aG4uY3JlYXRlIiwiY2hhbGxlbmdlIjoiSl9RTi10SFJYRWVKYjlNcUNrWmFPLUdOVmlibXpGVGVWMk43Z0ptQUdrQSIsIm9yaWdpbiI6Imh0dHBzOi8vZXhhbXBsZS5sb2NhbGhvc3Q6ODQ0MyIsImNyb3NzT3JpZ2luIjpmYWxzZX0",
            "transports": [
              "internal"
            ]
          },
          "type": "public-key",
          "clientExtensionResults": {},
          "authenticatorAttachment": "platform"
        },
        "label": "1password"
      }
    }
  3. POST to /webauthn/authenticate/options
  4. The resulting response will have the registered credential in the allowCredentials, but the transports array will be empty.

Expected behavior

The request would return the credential in the allowCredentials with the same transport as was registered.
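One way to turn the four reproduction steps into an automated consistency check, as an added example that is neither part of this issue nor Spring Security's own code: feed it the registration response from step 2 and the body returned by /webauthn/authenticate/options in step 3, and it reports every credential whose advertised transports differ from what was registered (or that is missing from allowCredentials altogether). It also decodes clientDataJSON so the origin the browser actually signed over can be compared with the configured allowedOrigins. The registration fields are copied from the issue; the options response below is constructed from the description in step 4, not captured from a real server.

```python
import base64
import json

# Registration response as posted in the issue, reduced to the fields this check needs.
REGISTRATION_RESPONSE = {
    "id": "dYF7EGnRFFIXkpXi9XU2wg",
    "type": "public-key",
    "response": {
        "clientDataJSON": (
            "eyJ0eXBlIjoid2ViYXV0aG4uY3JlYXRlIiwiY2hhbGxlbmdlIjoiSl9RTi10SFJYRWVKYjlNcUNrWmFPLUdOVmli"
            "bXpGVGVWMk43Z0ptQUdrQSIsIm9yaWdpbiI6Imh0dHBzOi8vZXhhbXBsZS5sb2NhbGhvc3Q6ODQ0MyIsImNyb3Nz"
            "T3JpZ2luIjpmYWxzZX0"
        ),
        "transports": ["internal"],
    },
}

# Constructed sample of what step 4 describes: the credential is listed in
# allowCredentials, but its transports array comes back empty.
OPTIONS_RESPONSE_REPORTED = {
    "rpId": "example.localhost",
    "allowCredentials": [
        {"type": "public-key", "id": "dYF7EGnRFFIXkpXi9XU2wg", "transports": []},
    ],
}


def b64url_decode(data: str) -> bytes:
    """Decode unpadded base64url, which is how WebAuthn JSON carries binary fields."""
    return base64.urlsafe_b64decode(data + "=" * (-len(data) % 4))


def decode_client_data(client_data_json_b64: str) -> dict:
    """Parse clientDataJSON into its fields: type, challenge, origin, crossOrigin."""
    return json.loads(b64url_decode(client_data_json_b64))


def find_transport_mismatches(registrations: list, options_response: dict) -> list:
    """Compare each registered credential's transports with the transports the
    authentication options advertise for the same credential id.

    Returns one record per credential that is missing from allowCredentials
    (actual=None) or whose transports differ; an empty list means the options
    response is consistent with what was registered.
    """
    advertised = {c["id"]: c for c in options_response.get("allowCredentials", [])}
    problems = []
    for reg in registrations:
        expected = sorted(reg["response"].get("transports", []))
        entry = advertised.get(reg["id"])
        if entry is None:
            problems.append({"id": reg["id"], "expected": expected, "actual": None})
            continue
        actual = sorted(entry.get("transports", []))
        if actual != expected:
            problems.append({"id": reg["id"], "expected": expected, "actual": actual})
    return problems


if __name__ == "__main__":
    client_data = decode_client_data(REGISTRATION_RESPONSE["response"]["clientDataJSON"])
    print("registration ceremony:", client_data["type"], "from origin", client_data["origin"])
    for problem in find_transport_mismatches([REGISTRATION_RESPONSE], OPTIONS_RESPONSE_REPORTED):
        print("transport mismatch:", problem)
```

In a Spring integration test the same comparison would run against the real body of /webauthn/authenticate/options after registering through /webauthn/register; the browser uses the advertised transports as hints for which authenticator to prompt, so a regression here is worth asserting on rather than eyeballing. The decoded origin is also worth printing next to the configured allowedOrigins, since the two must agree for the ceremony to verify.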